Created attachment 14633
poc pdf

The attached file will cause a stack out of bounds read in the function gs_type2_interpret. This can be seen by compiling ghostscript with address sanitizer (-fsanitize=address in CFLAGS). Here's the stack trace from asan:

==1361==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7fff9000c6d8 at pc 0x0000009bae32 bp 0x7fff9000c6b0 sp 0x7fff9000c6a8
READ of size 4 at 0x7fff9000c6d8 thread T0
    #0 0x9bae31 in gs_type2_interpret /f/ghostscript/ghostscript-9.22/./base/gstype2.c:381:46
    #1 0x1113e8e in copied_type1_glyph_outline /f/ghostscript/ghostscript-9.22/./devices/gxfcopy.c:1091:16
    #2 0x1519c66 in gs_default_glyph_info /f/ghostscript/ghostscript-9.22/./base/gsfont.c:1036:12
    #3 0x97f0b9 in gs_type1_glyph_info /f/ghostscript/ghostscript-9.22/./base/gxtype1.c:608:16
    #4 0x10af460 in pdf_compute_font_descriptor /f/ghostscript/ghostscript-9.22/./devices/vector/gdevpdtd.c:457:16
    #5 0x10b1720 in pdf_finish_FontDescriptor /f/ghostscript/ghostscript-9.22/./devices/vector/gdevpdtd.c:637:17
    #6 0x10fcd56 in pdf_finish_resources /f/ghostscript/ghostscript-9.22/./devices/vector/gdevpdtw.c:677:24
    #7 0xf5923b in pdf_close /f/ghostscript/ghostscript-9.22/./devices/vector/gdevpdf.c:2631:13
    #8 0x14f042a in gs_closedevice /f/ghostscript/ghostscript-9.22/./base/gsdevice.c:720:16
    #9 0x1ae58f1 in gs_main_finit /f/ghostscript/ghostscript-9.22/./psi/imain.c:951:20
    #10 0x578170 in main /f/ghostscript/ghostscript-9.22/./psi/gs.c:139:9
    #11 0x7f085c302f85 in __libc_start_main (/lib64/libc.so.6+0x20f85)
    #12 0x47f2b9 in _start (/r/gs/gs+0x47f2b9)

Address 0x7fff9000c6d8 is located in stack of thread T0 at offset 24 in frame
    #0 0x9b3e4f in gs_type2_interpret /f/ghostscript/ghostscript-9.22/./base/gstype2.c:125

  This frame has 4 object(s):
    [32, 224) 'cstack' (line 130) <== Memory access at offset 24 underflows this variable
    [288, 300) 'mask' (line 463)
    [320, 336) 'join' (line 729)
    [352, 368) 'end' (line 729)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow /f/ghostscript/ghostscript-9.22/./base/gstype2.c:381:46 in gs_type2_interpret
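As an added illustration of the defect class behind this report (not Ghostscript's gstype2.c, whose code is not shown here), a simplified, hypothetical Type 2 charstring operand-stack model: every operator checks its arity before forming an index into cstack, so a malformed charstring is rejected with an error instead of reading below the start of the array. The opcode values are the real Type 2 ones; widths and all other operators are left out.

```c
#include <stdint.h>
#include <stdbool.h>
#define CSTACK_SIZE 48   /* Type 2 charstrings allow at most 48 operands */
enum { CS_OK = 0, CS_ERR_UNDERFLOW = -1, CS_ERR_OVERFLOW = -2, CS_ERR_OP = -3 };
enum { OP_RLINETO = 5, OP_RMOVETO = 21 };          /* real Type 2 opcodes */
typedef struct {
    int32_t cstack[CSTACK_SIZE];
    int     sp;        /* number of valid operands in cstack */
    int32_t x, y;      /* current point, moved by path operators */
} cs_state;
typedef struct { bool is_op; int32_t v; } cs_token; /* operand value or opcode */

static int cs_push(cs_state *s, int32_t v) {
    if (s->sp >= CSTACK_SIZE) return CS_ERR_OVERFLOW;
    s->cstack[s->sp++] = v;
    return CS_OK;
}
/* Arity is checked before any index into cstack is formed, so the lowest element
   touched is cstack[0]; popping an empty stack without this check is the read
   below the array that ASan reports as a stack-buffer-underflow. */
static int cs_apply(cs_state *s, int32_t op) {
    if (op != OP_RMOVETO && op != OP_RLINETO) return CS_ERR_OP;
    if (s->sp < 2) return CS_ERR_UNDERFLOW;       /* needs dx dy */
    for (int i = 0; i + 1 < s->sp; i += 2) {      /* rmoveto: one pair; rlineto: all pairs */
        s->x += s->cstack[i];
        s->y += s->cstack[i + 1];
        if (op == OP_RMOVETO) break;
    }
    s->sp = 0;                                    /* path operators clear the stack */
    return CS_OK;
}
int cs_run(cs_state *s, const cs_token *toks, int n) {
    s->sp = 0; s->x = 0; s->y = 0;
    for (int i = 0; i < n; i++) {
        int rc = toks[i].is_op ? cs_apply(s, toks[i].v) : cs_push(s, toks[i].v);
        if (rc != CS_OK) return rc;
    }
    return CS_OK;
}
/* Constructed sample "10 20 rmoveto 5 5 1 2 rlineto": ends at (16, 27). */
int32_t demo_x, demo_y;
int demo_well_formed(void) {
    static const cs_token t[] = { {false,10}, {false,20}, {true,OP_RMOVETO},
        {false,5}, {false,5}, {false,1}, {false,2}, {true,OP_RLINETO} };
    cs_state s; int rc = cs_run(&s, t, 8);
    demo_x = s.x; demo_y = s.y; return rc;
}
/* Constructed malformed sample: rmoveto with a single operand is refused. */
int demo_underflow(void) {
    static const cs_token t[] = { {false,10}, {true,OP_RMOVETO} };
    cs_state s; return cs_run(&s, t, 2);
}
```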
It would be extremely helpful if you included your exact command line, and the release version (or git SHA) that you test with. I was able to reproduce the issue in this case, but in the future, lacking the above information may mean the bug being closed due to insufficient information.
Fixed in: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=eb5f2a85c5